What Kind of Threat Intelligence Are You Selling Me?
The threat intelligence market has not been well defined. This is a problem that frequently arises when marketing departments start playing buzzword bingo in a “me too” attempt to latch onto the latest trend. This year it’s happening with machine learning.
Unfortunately, the market response to this type of message pollution is to “lose faith” in the trend or technology, leaving nothing but the echoes of a melancholy Michael Stipe song. One of the challenges I faced when approaching my recent report on threat intelligence, was to try to make sense of a market where vendors frequently denigrate each other, referring to each other as “fake news” or “fake intelligence” or whatever. I’m exaggerating, but not by much. I’m sure we’ve all heard the “that’s not real intelligence” talk.
The important thing to understand is that there are a lot of “things” that can be considered threat intelligence, and there’s not really a requirement for any particular offering to exist for something to be considered threat intelligence. This leads to an interesting situation where multiple vendors are telling you they are selling the same thing (they aren’t), and you have to figure out how to justify a budget for it because in security — if you’re not keeping up with the trends, you’re falling behind best practices.
The title of my Vendor Landscape: External Threat Intelligence, 2017 report indicates an attempt to analyze the vendors in a particular segment of the threat intel market who offer externally sourced (to you) threat intelligence feeds as a service. In making this distinction, I originally dedicated a section to clarifying the types of offerings you will frequently come across. So straight from the cutting room floor, here is an explanation of various ways vendors will attempt to sell you threat intelligence:
- Threat Intelligence provided as a value proposition for goods or services. This type of value proposition dates to antivirus vendors who, before transitioning to the cloud, found they had more malware signatures than they could push down to an endpoint — so they would leverage intelligence to provide you with a set of indicators you were most likely to encounter (although it’s rarely discussed in these terms). In practice, we are now seeing this type of threat intelligence being implemented as sharing networks for technologies such as Palo Alto Networks’ WildFire, which automatically manages and disseminates threat data on unknown and previously unanalyzed threats in real-time to other customers.
- Internal intelligence generated from within your organization. Products and services that provide insight into your networks serve as a critical source of intelligence. A lot of the time, you’re going to experience this with services companies who also sell product such as Endpoint Detection and Response (EDR) technologies that provide you visibility into your infrastructure. In fact, many digital forensics companies will leverage this type of endpoint technology through the course of an investigation to identify threats. While many vendors will not market this as being threat intelligence directly, it’s important to understand that you have these sources available to you.
- Subscriptions to externally sourced information which may be intelligence. External threat intelligence is the work product of data collected outside your organization. While only the most advanced intelligence capabilities are going to have their own operatives and collection infrastructure (a level of sophistication usually reserved for nation-state level tradecraft), external threat intelligence vendors provide this type of intelligence as a subscription service. One challenge of engaging a vendor that services a number of verticals is you must assess the relevance of what you’re being provided. While hospitality companies may have a lot in common with retail in terms of online booking and card-present point-of-sale (POS) transactions, they will likely experience risk quite differently than a manufacturing company. Similarly, the level of processing or analysis performed on collected data will vary from vendor to vendor, allowing you to either tailor your collection strategy using their offerings, or set you up to struggle with the capability — if your organization isn’t equipped to consume the provided intelligence.
- Threat information exchanges are focused on information sharing. While closely related to the above types of vendors, information exchanges are differentiated in that they don’t generate the intelligence they are distributing. This offering is instead providing a framework or consortium for members to share threat intelligence. An example of this type of delivery include the National Retail Federation (NRF), an Information Sharing and Analysis Organization (ISAO) that allows member retailers the ability to share threat information to protect the pack. An advantage to this type of network is that the intelligence you’re obtaining is at least as relevant as the other organizations in your information exchange.
I receive a lot of inquiry from clients who are trying to figure out how to get started with a threat intelligence capability, how to develop an effective collection strategy, and what to do with this collected intelligence. Similarly, vendors are trying to figure out how to differentiate their offerings. It is my hope that this Vendor Landscape: External Threat Intelligence, 2017 report will answer these questions and serve as a guide for differentiating between the offerings of one subset of vendors discussed here, external threat intelligence providers.